Category Archives: Control Systems

Lots of news recently about a resurgence of the Havex malware. Here’s why (and why you should care).

‘Old’ Attack Vectors

There are a number of tried-and-true ways to get malware onto a target system; the most common is via email. The attacker sends an email to the target with a file and hopes the target opens that attachment. There are a few tricks to this:
Email Attachment

1. Hope the target environment doesn’t block your attachment
2. Because of point 1, the attacker has to use malware embedded in a common file format, such as pdf/doc/xls
3. Reliability of the malware is reduced (as a result of point 2)

Attacker Used Spam! It’s Not Very Effective

An alternative to plain attachment vectors is to insert a web link that sends the target to a malware-infested domain. This is a bit more sophisticated: the domain can now collect browser/system information and craft the malware page accordingly. Attacker still has to rely on the target:
Link to Malware Site

CVI and CFAT information are regulated by DHS and relate to Chemical Vulnerability Information and Chemical Facility Anti-Terrorism. If your company has CVI responsibilities, how are you managing access to the information and assets in your organization by vendors, visitors, technicians, and security staff?

Without a solid visitor management approach, you end up in a situation where people who are knowledgeable of significant vulnerabilities may not have been trained on how to handle that information. Get CVI certified, register all your vendors with this certification, and know how, when, and where they touch your critical CVI.

Chemical Vulnerability Information or CVI is information that is intended to be protected by DHS directive. Companies that handle chemicals, be it for manufacturing, food production, or other purposes, have an obligation to protect this information. With that obligation comes a need for companies to have a way to ensure they can prove that the information is protected, and to follow certain procedures in order to ensure their employees, contractors, and vendors also protect this information.

The first step in dealing with CVI is to cover the basic handling instructions. DHS has provided documents and training to ensure that these practices are carried out in a timely and organized manner. The actual practices are:

• Storage of CVI
• Marking of CVI
• Transmission of CVI
• Responsibilities when in transit with CVI
• Destruction of CVI

The DHS directive in 6 CFR § 27.400(e)(3) indicates that DHS-provided CVI training is necessary and appropriate for anyone who will access, use, store, mark, transmit, manage, or destroy this information. Thankfully, this training is publicly available, free, and not too difficult for individuals to acquire. By going to this link, http://www.dhs.gov/training-chemical-terrorism-vulnerability-information, staff, contractors, consultants, or other individuals at your organization can take this training.

These staff members should report to the organization that they have had training, and provide their certification number. That information should be stored, and used to ensure that exposure to this kind of information is managed effectively. If you have new vendors or contractors that visit your site, you should prevent access to areas that will expose this information, or access to the actual assets that are protected, if the individual has not had this training.

Using a tool like the Alert Enterprise Guardian Express and Visitor Management, you can manage visitor access, check your HR systems, or even store certification numbers for staff, ensuring that your CVI is protected. With a fully audited workflow, individuals can be approved once credentials have been validated, ensuring that you are proactively meeting the CVI and CFAT standards put forth by DHS.

If you would like to better understand how Alert Enterprise can help you to protect your CVI assets, and also manage your overall security posture and risk, please contact us to discuss.

As provided by 6 CFR § 27.400(e)(3), DHS has determined that, except under emergency or exigent circumstances, successful completion of DHS-provided CVI training is a necessary and appropriate condition for any individual’s access to CVI. DHS reserves the right under 6 CFR § 27.400(e)(2)(iii) to require non-disclosure agreements in the future, as appropriate, as a condition for becoming an Authorized User or otherwise obtaining access to CVI.

A “role” is a technical term for the collection of individual privileges (access to company assets) assigned to an individual to perform their job. AlertEnterprise delivers a unique solution for Role Management across various external systems, both physical and logical.

For example, when a person joins the organization, apart from creating and managing their digital identity, it is equally important to provide access to the devices (physical/logical) where they are supposed to work. Both of these things are well managed by the Role Module incorporated into the AlertEnterprise application.

On June 26, 2009, in a congressional roll call joint statement, four powerful congressional leaders (Thompson, Waxman, Jackson Lee and Markey) called for support for the bill HR 2868, which would grant the Department of Homeland Security the authority to make the CFATS program permanent going forward. Some of the important provisions of this bill include reducing the threshold amounts of dangerous chemicals or switching to safer chemicals. Additionally, water treatment and distribution systems, wastewater treatment and port facilities would no longer be exempt from complying with these safety provisions.